Sebastian Krahmer from the SUSE Security Team discovered two off-by-one
errors in the function "f_name()" in file sender.c when processing
overly long directory names.

Impact

A remote attacker could entice a user to synchronize a repository
containing specially crafted directories, leading to the execution of
arbitrary code with the privileges of the user running the application.